Efuse DISABLE_DL_DECRYPT

Seungwhan
Posts: 15
Joined: Mon Jul 29, 2019 11:23 pm

Efuse DISABLE_DL_DECRYPT

Postby Seungwhan » Tue Sep 10, 2019 8:44 pm

Hi,

Let's say we
- enable flash encryption
- write 1 to DISABLE_DL_DECRYPT

What happens if we hold down GPIO0 and GPIO2 during reset?
Does the ROM Bootloader put the CPU into the state so that it can communicate with PC over UART?
(or in short, does CPU go into UART bootloader mode?)
Will the PC be able to send stub_code to CPU?
If so will the stub_code run?
Is it just that you can't read out Flash contents?
Or maybe you still can read the Flash contents but it will be just meaningless because of encryption.

Thanks for reading!

ESP_Angus
Posts: 1815
Joined: Sun May 08, 2016 4:11 am

Re: Efuse DISABLE_DL_DECRYPT

Postby ESP_Angus » Wed Sep 11, 2019 1:24 am

Hi Seungwhan,
Seungwhan wrote:
Tue Sep 10, 2019 8:44 pm
Or maybe you still can read the Flash contents but it will be just meaningless because of encryption.
This is 100% correct.

On current ESP32 we don't prevent any other interactions in the UART download mode, but if DISABLE_DL_DECRYPT is set then flash decryption will not work in UART download mode, so the only data that can be read is the ciphertext (the same data could be read by attaching a SPI flash programmer to the flash chip and reading out this way.)

Note that it's important to burn both of the DISABLE_DL_ENCRYPT & DISABLE_DL_DECRYPT efuses to get this protection (otherwise attacker can write a small encrypted firmware that decrypts and dumps the rest of the firmware when booted). ESP-IDF should set these efuses automatically if you follow the flash encryption process in the docs.

Seungwhan
Posts: 15
Joined: Mon Jul 29, 2019 11:23 pm

Re: Efuse DISABLE_DL_DECRYPT

Postby Seungwhan » Wed Sep 11, 2019 7:26 pm

Thanks for the explanation, ESP_Angus.

But even with all the efuses like DISABLE_DL_DECRYPT, DISABLE_DL_ENCRYPT and DISABLE_DL_CACHE, the fact that attackers code can run on the CPU's RAM makes me a little nervous.
Wish you had capability to entirely block the uart bootloader.

WiFive
Posts: 2687
Joined: Tue Dec 01, 2015 7:35 am

Re: Efuse DISABLE_DL_DECRYPT

Postby WiFive » Thu Sep 12, 2019 2:42 am

Yes, it is a valid point. There should be an efuse to completely disable uart... although researchers have also bypassed efuses with hardware attacks. Hopefully the new chip will have it along with the anti-glitch hardware.

Who is online

Users browsing this forum: MSN [Bot] and 3 guests